Cases access control lists

Case access control lists in Axon Evidence define how cases are classified and who can view or manage them. Each case belongs to one access class—unrestricted, restricted, or confidential—that sets its baseline visibility. Organizations can also grant case-specific access by adding users or groups to an internal access list.

Case access classes

Axon Evidence’s cases functionality uses access classes to control access to cases. Each case in Axon Evidence is assigned to one of the following access classes:

  • Unrestricted
  • Restricted
  • Confidential

Cases can only be assigned to one access class at a time. By default, cases are created in Axon Evidence with the Unrestricted access class. However, users with the appropriate permissions can set the case’s access class either during or after the case creation workflow.

When a case access class is changed to restricted or confidential, all evidence in the case will inherit the case’s access class.

Note

There are no Axon Evidence-specific definitions for the Restricted and Confidential access classes. Your organization should determine how these classes are used within your organization.

User access to case and user permissions

Default access to a case is based on the permissions for a user's assigned role. Role-based permissions affect a user's ability to search for, view, and change the access class for cases.

Each case also has its own Internal Access list, which allows your organization to manage case access inside your agency on an as-needed basis. Users and groups inside your organization can be granted access to a case by being added to the case access list. Users and groups on the case access list are able to view the case and all evidence in the case.

User permissions for case access

The following table provides information on a user’s ability to search for, view, and change the access class for a case for the different permission settings.

Permission Setting Role-Based Access (User) Role-Based Access (Group Monitor) Access List Member
List Unrestricted Cases Prohibited No Cases NA Can search and run reports if on the case access list
List Restricted Cases Prohibited No Cases NA Can search and run reports if on the case access list
List Confidential Cases Prohibited No Cases NA Can search and run reports if on the case access list
List Unrestricted Cases Only Their Own If assigned as case owner NA Can search and run reports if on the case access list
List Restricted Cases Only Their Own If assigned as case owner NA Can search and run reports if on the case access list
List Confidential Cases Only Their Own If assigned as case owner NA Can search and run reports if on the case access list
View Unrestricted Case Prohibited No Case NA Can view case if on the access list
View Restricted Case Prohibited No Case NA Can view case if on the access list
View Confidential Case Prohibited No Case NA Can view case if on the access list
Apply Access Class - Restricted Prohibited Cannot apply access class NA No effect
Apply Access Class - Confidential Prohibited Cannot apply access class NA No effect
Remove Access Class - Restricted Prohibited Cannot remove access class NA No effect
Remove Access Class - Confidential Prohibited Cannot remove access class NA No effect

Case search page views

The information shown to users on the Case Search page and in reports depends on the permissions for the user’s assigned role and if the user has been added to a case access list. Users are only allowed to search for cases that their role grants them permission to list and that they are on the access list for. If a user’s role does not include permission to list a case and the user is not on the access list for the case, then the user will not be able to search for the case and the case will not appear in any reports.

Example: If a user’s assigned role has the List Unrestricted case permission set to Only Their Own and the user is not on any case access lists, then the user will not see any cases that they are not the case owner of, Restricted Cases, or Confidential Cases on the Case Search page.

If a user has list permission for an access class set to Only Their Own, then the user will only see the cases they are assigned as the owner.

Note

This user would not see other users’ Unrestricted Cases, and the Owner search filter is locked with the current user’s name that is signed into Axon Evidence.

Access list information

You can get a snapshot view of the number of users that can access a case by looking at the Internal Access section on the Summary tab of the case details page.
Case detail page with the manage access option highlighted within a yellow box.

A detailed view of user access can be found by selecting the Internal Access list to open the Manage Access page. This page shows the number of users and groups on the access list, the number of users that can view the case due to their role-based permissions, and the access class for the case.

The Manage Access page is also used to add and remove users and groups from the case access list and to change the case access class. Users must have the appropriate permission to apply or remove an access class. Applying the restricted or confidential access class to a case will apply the same access class to all evidence in the case.

Evidence access vs. case access

Axon Evidence provides administrators flexibility in which permissions they grant to their users. It is possible to configure roles in such a way that a user may be able to access a case but not all evidence in the case.

Example: A user role could include permission to list and view all restricted cases, but not include permission to list and view restricted evidence. In this scenario, the user would be able to search for and view the case, but they would only be able to list and view the evidence in the case that either their role grants them default access to or that they are on the access control list for.

You can ensure that a user has access to both a case and all evidence in the case by adding the user to the case access control list.

Change case access class

After a case is created, the access class for the case can only be changed by navigating to the Manage Access page inside a case and manually changing the case access class.

Changing the access class of a case only allows users that are on the case access list or that have list and view permissions for the access class to search for and view the case. Users that do not have list permission cannot see the case on the case search page.

  1. On the case details page, select the Internal Access list to open the Manage Access page.
    Manage access options.
  2. In the Access Class section, select Restricted or Confidential.
    • The system asks you to confirm the change. Since the access class applied to the case will also be applied to all evidence in the case, you will only be allowed to apply the selected access class if you have permission to apply the access class to the case and all evidence in the case. Select Confirm to continue.
    • If you are not already on the access list, you are automatically added to the list. An email is sent to users and groups already on the access list informing them that the case access class was updated but that they still have access.
  3. In the User or Group field, start typing the name, badge ID, or email address of the user or the name of the group. Axon case shows a list of matching users as you enter the information. Select the user or group you want to add to the access list.
    You can add multiple users and groups if they will have the same access duration and access level.
  4. From the Access Level list, select the access level.
    • If Role is selected, the actions a user can take with the case and the evidence in the case depends on the permissions associated with their assigned role.
    • If View is selected, the user can only view the case and the evidence in the case. User-added image
  5. From the Duration list, select the period of time the user can access the case. The default value is Until Removed, which means the user can access the case until they are manually removed from the access list.
  6. Select Add. The user information is added to the list and an email is sent to the user informing them that they have been added to the access list for the case.
  7. Repeat steps 3 through 6 to add other users.
  8. After all users and groups are added, select Done to return to the case details page.

Remove a restricted or confidential access class

The Restricted and Confidential access classes can only be removed from the case details page.

  1. On the case details page, select the Internal Access list to open the Manage Access page.
  2. In the Access Class section, select Unrestricted.
  3. Select Done to return to the case details page.

The restriction on the case is removed, and an email is sent to each user on the access list informing them that the restriction was removed from the case.

Note

Evidence will inherit the case access class if changed to Restricted or Confidential. If a user changes the Case Access Class to Unrestricted, the evidence within the case will not inherit the Unrestricted Access Class and will remain Restricted or Confidential.

Grant case access

Users and groups inside your agency can be granted access to cases from both the case search and case details pages. However, case access lists can only be modified from the case details page.

Add users and groups to an Internal Access list from the Case Search page

From the Case Search page, you can add users and groups to the access list for multiple cases at the same time.

Note

This procedure can also be used to add users and groups to the access list for cases with a Restricted or Confidential access class.

  1. Search for the cases you want to grant access to.
  2. In the search results, select the checkbox to the left of the Case ID for each case file that you want to grant access to.
  3. Select Grant Internal Access to open the Manage Access page.
  4. From the Access Level list, select the access level for the user:
    • Role: The actions a user can take on the case and evidence in the case depend on the permissions associated with their assigned role.
    • View: The user can only view the case and the evidence in the case.
  5. From the Duration list, select the period of time the user can access the case.
    • The default value is Until Removed, which means access to the case is granted until the user or group is manually removed from the access list.
  6. In the Add Access field, start typing the name, badge ID, or email address of the user or the name of the group.
    • A list of matching users or groups will be displayed as you enter the search criteria. Select the user or group you want to add to the access list.
      Note

      If you incorrectly add a user or group to the list, you can remove them by selecting Remove, and then selecting Remove to confirm.

  7. Repeat the above step to add other users and groups.
  8. Select Save.

A dialog box showing that access was granted is displayed. Select Close to continue.

An email is sent to each user informing them that they have been added to the access list for the selected cases.

Modify an Internal Access list

You can modify the access duration and the access level for users and groups on the Case Access Control List from the case details page.

Note

This procedure can be used to modify access information for a case with a Restricted or Confidential access class.

  1. On the case details page, select the Internal Access list to open the Manage Access page.
  2. In the access list, select Edit next to the user or group you want to modify.
  3. Select the access level and duration as needed.
    Manage access page showing a list of users and groups with options to set their access type and duration.
  4. Select Save.

Repeat steps 2 through 4 for other users or groups in the list.

When you have finished modifying access information, select Done to return to the case details page.

Remove users and groups from the Internal Access list

Users can only be removed from the Internal Access list for a given case from the case details page.

Note: This procedure can be used to remove users from the access list for a case with a Restricted or Confidential access class.

  1. On the case details page, select the Internal Access list to open the Manage Access page.
  2. In the access list, select Remove, and then select Remove to confirm.
  3. The user or group is removed from the list, and an email is sent to the users informing them that they have been removed from the access list for the case.

Repeat step 3 to remove other users and groups from the list.

When you have finished removing users, select Done to return to the case details page.